Identity Governance provides risk levels to help you classify and label risk factors that matter to your organization. You can configure the number of levels, size of levels, and names of levels to make them appropriate for your organization and stakeholders. Risk scoring provides a means for manually setting or calculating risk for the entire organization as well as for catalog objects and policies.
Identity Governance administrators can customize the following risk policies:
Risk level configuration
Governance risk score
Application risk score
User risk score
Risk score schedule
Users with the following authorizations can manage and customize risk settings for your Identity Governance environment:
Customer, Global, or Data Administrator
Auditor (read only)
See the following sections for more details about how Identity Governance helps you manage risk in your environment:
Identity Governance gives you the flexibility to create a risk scale of your own choosing. If your environment requires a high level of granularity, you can specify up to 10 risk levels. When you set the risk level size, Identity Governance automatically divides the risk levels in even increments and sets the maximum risk value for calculated values to the maximum value specified in your settings. You can further customize the risk levels by providing your own naming system to the levels. A color-code is assigned to each level ranging from blue at the low end to red at the high end.
A risk score quantifies the level of risk that an entity, such as a user or account, exposes an organization to. A higher risk score indicates that you have identified that item as riskier to your organization. You can manually set risk scores by collecting risk score attributes along with objects you collect or by using Identity Governance to assign risk scores to individual objects.
You can collect risk scores or assign risk scores to the following items:
Users
Accounts
Applications
Permissions
Technical roles
Separation of duties policies
Business roles
Certification policies
A calculated risk score is based on risk factors and the relative weighting of those factors that you define. You can configure Identity Governance to calculate the following risk scores, either on demand or on a regular schedule:
Represents the current level of risk related to access and security that your organization is exposed to based on the risk factors and risk weights you have defined.
Represents the current level of risk related to access and security of each application that your organization is exposed to based on the risk factors and risk weights you have defined.
Represents the current level of risk related to access and security for each user that your organization is exposed to based on the risk factors and risk weights you have defined.
NOTE: Objects and policies whose risk was not set are not considered in calculations. Only objects and policies with zero or greater than zero value is included in calculations. For example, if a user has two accounts with 50 and “Not set” as respective risk value, then the average Base Score calculation for Risk of accounts assigned to the user will be 50 as the second account will be ignored as its value was not set.
Risk factors, metrics that affect a risk score, apply to specific items and can have a positive or negative impact on the item's risk score. The weight of a risk factor is the percentage of an item's risk that the factor comprises. The maximum value for any risk factor component is the maximum risk score for the item multiplied by the percentage weight of the factor. For example, an organization specifies that user risk score has a maximum value of 1000 and 3 risk factors of equal weight. Each risk factor can only account for one third of the user's risk score.
For some risk factors, Identity Governance uses either the average value or the maximum value for that factor, based on which one you select. Other risk factors use a range of values that you set. When you assign a weight to a risk factor, such as Number of unmapped accounts, Identity Governance then looks at the range you have specified. If the value of the risk factor is at or above the high range, Identity Governance applies the full weight for that risk factor to the risk score. If the value is below the high range, Identity Governance applies a percentage of the weight that is appropriate to the percentage of the high range for the value. If a risk factor value is at or below the low range, that factor does not add anything to the risk score.
You can use the following risk factors to control how Identity Governance calculates risk scores in your environment.
|
Governance Risk Factors |
Risk Factor Type |
|---|---|
|
User risk scores |
Average or Max |
|
Application risk scores |
Average or Max |
|
Account risk scores |
Average or Max |
|
Business role risk scores |
Average or Max |
|
Technical role risk scores |
Average or Max |
|
Permission risk scores |
Average or Max |
|
Number of unmapped accounts |
Low to high range |
|
Number of unauthorized assignment (permission and technical role) |
Low to high range |
|
Number of outstanding SOD violations |
Low to high range |
|
Number of expired certification violations |
Low to high range |
|
Total number of certification violations |
Low to high range |
|
Number of no decision certification violations |
Low to high range |
|
Number of not reviewed certification violations |
Low to high range |
|
Application Risk Factors |
Risk Factor Type |
|---|---|
|
Risk of assigned permissions in application |
Average or Max |
|
Risk of accounts in application |
Average or Max |
|
Number of unmapped accounts |
Low to high range |
|
Number of permissions in the application |
Low to high range |
|
Number of exceptions (access not authorized by policy) |
Low to high range |
|
Number of expired certification violations |
Low to high range |
|
Total number of certification violations |
Low to high range |
|
Number of no decision certification violations |
Low to high range |
|
Number of not reviewed certification violations |
Low to high range |
|
Collected application risk score attribute |
Application attribute. Typically, application risk. |
|
User Risk Factors |
Risk Factor Type |
|---|---|
|
Risk of permissions assigned to user |
Average or Max |
|
Risk of accounts assigned to user |
Average or Max |
|
Number of outstanding SOD violations |
Low to high range |
|
Number of exceptions (access not authorized by policy) |
Low to high range |
|
Number of permissions assigned to the user |
Low to high range |
|
Number of business roles the user is in |
Low to high range |
|
Collected user risk score attribute |
Value |
|
Number of expired certification violations |
Low to high range |
|
Total number of certification violations |
Low to high range |
|
Number of no decision certification violations |
Low to high range |
|
Number of not reviewed certification violations |
Low to high range |
|
Days past expired certification |
Impact |
Identity Governance performs separate calculations to determine an overall governance risk score and overall risk scores for each application and user.
NOTE:Large data sets can result in long calculation times. Identity Governance allows you to click Cancel to stop a risk score calculation in progress. If you have a large data set, consider scheduling risk score calculation at a time outside of normal business hours. See Section 21.4, Setting and Viewing Risk Calculation Schedules and Status.
The calculations use the following variables:
RFV: raw risk factor value
LL: lower boundary (typically 0)
UL: upper boundary (100)
URL: upper risk level value from risk level configuration
FW: factor weight as a percentage
RRFV: ranged risk factor value
RIS: raw impact score. This is set to the impact value of the first interval range that matches the RFV.
NPA: number of assigned permissions
Calculations include the following scores:
FRS: factor risk score
RS: overall entity risk score calculated as sum of all configured risk factor scores for the specific entity with FW > 0
FRS = RRFV * FW/100 where:
RRFV = URL if (RFV - LL) > 0 is true and (RFV - UL) >= 0 is true
RRFV = 0 if (RFV - LL) > 0 is false
RRFV = RFV*URL/(UL-LL) if (RFV - LL) > 0 is true and (RFV - UL) >= 0 is false
Example
When:
RFV is equal to NPA
LL = 0
UL = 50
URL = 500
FW = 100
Then:
For NPA = 15, RFV = 15 and 15 - 0 > 0 is true and 15 - 50 >=0 is false; RRFV = 15*500/(50-0) = 150 and FRS = 150*100/100 = 150
For NPA = 50, RFV = 50, and 50 - 0 > 0 is true and 50- 50 >=0 is true; RRFV = 500 and FRS = 500*100/100 = FRS = 500
For NPA = 0, RFV = 0, and 0 - 0 > 0 is false; RRFV = 0 and FRS = 0*100/100 = 0
FRS = RFV * FW/100
NOTE:This score is supported only for the overdue violations risk factor.
FRS=RIS * FW/100
Example
User has the following types of certification policy violations:
No decision violation - 1
Overdue 5 days violation - 1
Overdue 15 days violation - 2
Overdue 100 days violation - 3
Interval is configured as:
Impact 200 for violations overdue 1 to 100 days
Impact 400 for violations overdue over 101 days
FW is set to 100.
Based on the above conditions:
RFV will be set to 100 because the certification policy violations max number of days overdue is 100
RIS will be set as 200 because RFV = 100 is within the first interval range
FRS = 200*100/100 = 200
RS = SUM(FRS) where FW > 0
Keep in mind the following notes about raw score values:
For average or max risk factor types, the raw score will be set to either the average or maximum value of all values for a specific calculation. For example, if the administrator has configured that the risk of permissions assigned to users be averaged, Identity Governance averages the permission risk values for each user in the catalog and reports this number as the raw score.
For low to high range risk factor types, the raw score will be the value for a specific measure. For example, for the Number of outstanding SOD violations risk factor, the base score will be equal to the total number of outstanding SoD violations.
For value risk factor types, the raw score will be set to a value. For Collected user risk score attribute factor it will be set to the value of the user attribute configured in the risk factor. For the Risk attribute it will be set to the collected risk value. For any other attribute, it will be set to the collected or curated value at calculation time.
For impact risk factor types, the raw score will be set to a number of days.
Keep in mind the following notes about ranged scores:
For low to high range risk factor types, the ranged score will depend on upper and low boundaries configured for a factor. The upper boundary is the value at which risk is maximal. Risk level has a boundary and factors have a boundary.
The calculation compares the value to the upper bound to scale it. If the value is at or above the bound, it will apply the full weight to the target raw risk score. If the value is below the upper bound, it will determine the percentage of the upper bound (max risk) that the raw score represents and use that to determine the range to apply.
The lower bound indicates that this factor is below threshold and should not have any effect on the risk score.
For impact risk factor types, the raw score will be evaluated against the configured interval and proper impact will be determined.
Identity Governance provides several ways you can visualize the risk factors in your environment. In most areas, you can also drill down to details that show you more context for how Identity Governance has assessed the risk.
As a separate tab on User and Application details pages
As a governance risk score, and trend graph if multiple scores exist, displayed on the Governance Overview dashboard
As a governance risk score and context information on the Risk policy administration page
Identity Governance assigns a color code to each risk level ranging from blue at the low end to red at the high end. These colors display with risk scores to help you further understand how the score fits into your customized risk level ranges.